funsec mailing list archives
RE: Security Vendor Bypasses Microsoft's Vista PatchGuard
From: Larry Seltzer <Larry () larryseltzer com>
Date: Wed, 25 Oct 2006 14:43:27 -0400
> The reason kernel hooking is an issue is that in order for an AV or AS
> to adequately protect itself from being disabled by malware, it has to
> hook the kernel to do so.

Not to get into a semantic argument, but this sounds like intrusion prevention to me. The actual AV and AS scanning capabilities can be done entirely through filters. And the APIs Microsoft is talking to security vendors about creating are essentially a new set of filters for events involving processes, memory, named objects, and other sorts of things that HIPS monitors through kernel patching. Too bad it will be a long time before they're ready.
> As a side note, most of these attacks would fail were it not for user
> accounts running with administrator privs in the typical home setup.

Absolutely, and this should definitely be much less of a problem on Vista, where you have to click the "Please Shoot Me" button to get a privileged user account. The norm will be less-privileged accounts. Of course, if a user installs a new program they download from who-knows-where and the system says that it needs admin privileges and the user says yes, then only PatchGuard stands in its way.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Security Vendor Bypasses Microsoft's Vista PatchGuard Fergie (Oct 24)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Blue Boar (Oct 24)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Dude VanWinkle (Oct 24)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Blue Boar (Oct 24)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Valdis . Kletnieks (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Blue Boar (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Dude VanWinkle (Oct 25)
- RE: Security Vendor Bypasses Microsoft's Vista PatchGuard Larry Seltzer (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard John LaCour (Oct 25)
- RE: Security Vendor Bypasses Microsoft's Vista PatchGuard Larry Seltzer (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Dude VanWinkle (Oct 24)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Blue Boar (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Drsolly (Oct 25)
- RE: Security Vendor Bypasses Microsoft's Vista PatchGuard Larry Seltzer (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Blue Boar (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Blue Boar (Oct 24)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Blue Boar (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Dude VanWinkle (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Blue Boar (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Nick FitzGerald (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Dude VanWinkle (Oct 25)
- Re: Security Vendor Bypasses Microsoft's Vista PatchGuard Nick FitzGerald (Oct 25)